1. Technical Field
The present invention generally relates to technology for acquiring forensic data stored in flash memory in a smart device and, more particularly, to technology for acquiring forensic data in the state in which only a boot loader and a Universal Serial Bus (USB) module are activated in order to guarantee the integrity of data.
2. Description of the Related Art
Recently, with the advent of various smart devices such as smart phones, smart TVs, and wearable devices, various technologies that are used for business purposes as well as personal purposes have appeared. As a result, the incidence of mobile crime targeting smart devices, involving for example various malicious code and smishing, has rapidly increased, and thus the importance of mobile forensics has gradually increased. Therefore, research into methods for acquiring the entire contents of flash memory in order to restore deleted files and analyze details is required.
Conventional methods for acquiring data from smart devices have relied on rooting based on a kernel vulnerability. However, because rooting vulnerabilities are patched when the OS version is upgraded, such methods do not support data acquisition for the latest Operating System (OS) until a new vulnerability is discovered. Further, with the application of security technology such as secure boot and Samsung's Knox, it has become more and more difficult to acquire data. In such a method, the data acquisition procedure is performed after rooting. During the rooting procedure, the system and data are falsified, and thus a problem arises in that the integrity of the acquired flash memory data is not maintained.
As another data acquisition method, there is a method for acquiring data by replacing the recovery image with a custom recovery image. This method accesses a user data area by replacing only a recovery area, and relates to research into the guarantee of the integrity of the user data area. However, this method is problematic in that, since a custom recovery image is flashed, it is impossible to guarantee the integrity of dump images of the entire contents of flash memory.
Hardware-based acquisition methods may include a method utilizing a Joint Test Action Group (JTAG) port on a Printed Circuit Board (PCB). However, recently, for reasons of security, manufacturers have a tendency to remove or deactivate the JTAG port on a PCB. As another hardware-based method for acquiring data, there is a method of removing flash memory from a given device (chip-off) and then acquiring data, but it is limited in that data may be acquired only when a power failure occurs or a fault occurs due to a problem such as damage to the smart device that contains evidence.
Korean Patent No. 1046025 discloses technology for extracting data from an embedded system. In particular, there is disclosed technology for extracting data from flash memory in the form of binary code using a JTAG interface on a PCB in an embedded system. However, Korean Patent No. 1046025 can acquire data only in the state in which a JTAG port is connected to a JTAG emulator. In other words, when the JTAG port is deactivated, the disclosed technology cannot be used. In light of the recent tendency to deactivate the JTAG port on PCBs in smart devices in order to realize information protection, Korean Patent No. 1046025 has a fatal disadvantage in that the JTAG port must necessarily be used.
Therefore, in response to the increased popularity of smart devices and the necessity to collect evidentiary data in solving crimes, technology that acquires forensic data without damaging a smart device containing evidentiary data is required.